Introduction to Spectre & Meltdown CPU Vulnerabilities

One way to block these attacks is to flush the CPU caches at certain points, destroying the leaked information before the attacker can read it out. Flushing the caches after every system call would probably block a wide range of speculative-execution attacks, but it would also slow the system down to the point where users would look for ways to disable the mechanism. Protecting the information matters, but the cost is too high when constant cache flushing eats into production time.

Speculative-execution attacks involve convincing the processor to speculate down a path that non-speculative execution would never take. For example, a kernel function may contain a bounds check that prevents the code from reading past the end of an array and returns an error instead. A Spectre attack skips that check speculatively, touching data the code was specifically written not to access. The error return is a hint that something inappropriate may be happening, but by then the damage is done: the out-of-bounds access has already left its trace in the cache.

How to check if your Linux server is vulnerable to Spectre CPU bugs

Spectre & Meltdown Checker is a shell script that checks whether your Intel, AMD, ARM or other CPU, together with the running kernel, is vulnerable to the following bugs:

CVE-2017-5753: bounds check bypass (Spectre Variant 1). Affects the kernel and all software. Mitigation: recompile software and kernel with a modified compiler that inserts the LFENCE instruction at the proper positions in the resulting code. The performance impact of the mitigation is negligible.

CVE-2017-5715: branch target injection (Spectre Variant 2). Affects the kernel. Mitigation: either a microcode update that gives the kernel new CPU features for flushing the indirect branch predictors, or rebuilding the kernel and software with a compiler that emits "retpolines" for indirect branches. The performance impact ranges from medium (retpoline) to high (microcode-based), depending on your CPU.

CVE-2017-5754: rogue data cache load (Meltdown). Affects the kernel. Mitigation: install an updated kernel with the PTI/KPTI (page table isolation) patches; updating the kernel is enough. The performance impact of the mitigation is low to medium.

spectre-meltdown-checker.sh is a simple shell script that tells you whether your Linux kernel installation is vulnerable to the three "speculative execution" CVEs above.

Installation

The script must be run as root. Review the source before running anything as root, then use the wget command or the curl command to grab it onto your Linux box:

How to check Linux for Spectre and Meltdown vulnerability

Another output, from my CentOS 7.x server where Meltdown/Spectre v1 were patched via the kernel:

$ sudo sh spectre-meltdown-checker.sh
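The checker script is the thorough option, but since Linux 4.15 (and in distribution kernels that backported the patches, such as CentOS 7.x) the kernel also publishes its own verdict per vulnerability under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not code from the original article or from the Spectre & Meltdown Checker project: it summarises those files and exits non-zero if anything is still reported as vulnerable. The sample status files it builds in a temp directory are constructed for illustration, and the SYSFS_VULN_DIR override is an assumption of this example only.

```shell
#!/bin/sh
# Added example, not code from the original article or from the Spectre &
# Meltdown Checker project. Since Linux 4.15 (and in distro kernels that
# backported the patches, such as CentOS 7.x), the kernel reports its own view
# of each vulnerability in /sys/devices/system/cpu/vulnerabilities/<name>,
# with values of the form "Not affected", "Mitigation: ..." or "Vulnerable[: ...]".
# SYSFS_VULN_DIR (an assumption of this example) can point elsewhere for testing.

SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "STATUS LINE" -> ok | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected") echo ok ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# report_vulns DIR -> one "name<TAB>class<TAB>raw status" line per file.
# Returns 1 if any entry is vulnerable, 2 if DIR does not exist, else 0.
report_vulns() {
    dir="$1"
    bad=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the sysfs interface, use the checker script" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f" 2>/dev/null)
        class=$(classify_status "$status")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$class" "$status"
        if [ "$class" = vulnerable ]; then bad=1; fi
    done
    return "$bad"
}

# make_sample_dir -> temp directory with CONSTRUCTED status files mimicking a
# 4.15-era kernel that has PTI but only a partial Spectre v2 mitigation.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
echo "== constructed sample =="
report_vulns "$sample" || echo "=> at least one entry still vulnerable"
rm -rf "$sample"

if [ -d "$SYSFS_VULN_DIR" ]; then
    echo "== this host =="
    report_vulns "$SYSFS_VULN_DIR" || echo "=> at least one entry still vulnerable"
fi
```

On a host whose kernel lacks the sysfs directory the script says so and exits 2; that is exactly the case where the checker script's CPU-level probing is needed, since an old kernel offers no self-report to read.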

How to install/update Intel microcode firmware on Linux?

Microcode is CPU firmware provided by Intel or AMD. The Linux kernel can load a newer microcode revision at boot without a BIOS update. The loaded update is volatile (it does not survive a reset), so the kernel reapplies it on every boot. Intel and AMD release microcode updates to fix CPU bugs or work around errata; the Spectre variant 2 mitigation in particular depends on new microcode. This page shows how to install an AMD or Intel microcode update using the package manager, or using the microcode files Intel supplies directly.

How to find out current status of microcode

Run the following command as the root user:

# dmesg | grep microcode

Sample outputs:

How to install Intel microcode firmware on Linux using a package manager

The tooling for loading CPU microcode updates on x86/amd64 ships with Linux distributions. The procedure to install AMD or Intel microcode firmware on Linux is as follows:

Warning: in some cases a microcode update can cause boot problems, such as the server hanging or resetting during boot. Test it on non-production hardware first and proceed at your own risk.

Examples

Type the following apt command/apt-get command on Debian/Ubuntu Linux for an Intel CPU (for AMD CPUs the package is amd64-microcode):

$ sudo apt-get install intel-microcode

Sample outputs:

You must reboot the box to activate the microcode update:

$ sudo reboot

Verify it after reboot:

# dmesg | grep 'microcode'

If you are using RHEL/CentOS, install or update the following two packages using the yum command:

$ sudo yum install linux-firmware microcode_ctl

$ sudo reboot

$ sudo dmesg | grep 'microcode'
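Grepping dmesg after the reboot tells you what the kernel loaded, but it does not by itself prove the revision changed. The following is an added example, not code from the original article: it records the running microcode revision from /proc/cpuinfo before the update, checks that every logical CPU reports the same revision, and after the reboot confirms the revision actually went up, with the dmesg line parsed as a cross-check. The cpuinfo and dmesg excerpts it builds are constructed samples; the function names and the suggested /var/tmp/microcode.before file are assumptions of this example only.

```shell
#!/bin/sh
# Added example, not code from the original article. /proc/cpuinfo carries one
# "microcode" line per logical CPU; dmesg carries the kernel's load message
# (Intel: "microcode updated early to revision 0x..", AMD: "patch_level=0x..").
# All functions take a file path so they can run on constructed samples.

# cpuinfo_revisions FILE -> distinct microcode revisions across all CPUs
cpuinfo_revisions() {
    awk -F'[[:space:]]*:[[:space:]]*' '$1 == "microcode" { print $2 }' "$1" | sort -u
}

# uniform_revision FILE -> the single revision; fails if CPUs disagree, which
# usually means a late-loaded update only reached some cores.
uniform_revision() {
    revs=$(cpuinfo_revisions "$1")
    n=$(printf '%s\n' "$revs" | grep -c .)
    if [ "$n" -ne 1 ]; then
        echo "mixed or missing microcode revisions: $(printf '%s' "$revs" | tr '\n' ' ')" >&2
        return 1
    fi
    printf '%s\n' "$revs"
}

# dmesg_loaded_revision FILE -> revision the kernel says it loaded (last match)
dmesg_loaded_revision() {
    sed -n \
        -e 's/.*microcode: microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p' \
        -e 's/.*microcode: CPU0: patch_level=\(0x[0-9a-fA-F]*\).*/\1/p' "$1" | tail -n 1
}

# normalize HEX -> canonical 0x form, so 0x08001137 and 0x8001137 compare equal
normalize() {
    [ -n "$1" ] || return 1
    printf '0x%x\n' "$(( $1 ))"
}

# check_update BEFORE_REV CPUINFO_FILE -> 0 if the running revision is newer
# than BEFORE_REV, 1 if unchanged or older, 2 if either value is unusable.
check_update() {
    before=$(normalize "$1") || return 2
    after=$(normalize "$(uniform_revision "$2")") || return 2
    if [ "$(( $after ))" -gt "$(( $before ))" ]; then
        echo "microcode updated: $before -> $after"
    else
        echo "microcode unchanged: still $after (expected newer than $before)" >&2
        return 1
    fi
}

# make_samples -> temp dir with CONSTRUCTED /proc/cpuinfo and dmesg excerpts
make_samples() {
    d=$(mktemp -d)
    printf 'processor\t: 0\nmodel name\t: sample cpu\nmicrocode\t: 0x3c\n\n' > "$d/cpuinfo"
    printf 'processor\t: 1\nmodel name\t: sample cpu\nmicrocode\t: 0x3c\n' >> "$d/cpuinfo"
    printf 'microcode: microcode updated early to revision 0x3c, date = 2018-01-19\n' > "$d/dmesg"
    printf 'microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x3c\n' >> "$d/dmesg"
    printf 'microcode: Microcode Update Driver: v2.2.\n' >> "$d/dmesg"
    echo "$d"
}

samples=$(make_samples)
echo "constructed sample: cpuinfo says $(uniform_revision "$samples/cpuinfo"), dmesg says $(dmesg_loaded_revision "$samples/dmesg")"
check_update 0x28 "$samples/cpuinfo" || true
rm -rf "$samples"

# Real-host workflow (the /var/tmp path is just a suggestion):
#   before installing:  uniform_revision /proc/cpuinfo > /var/tmp/microcode.before
#   after the reboot:   check_update "$(cat /var/tmp/microcode.before)" /proc/cpuinfo
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(uniform_revision /proc/cpuinfo 2>/dev/null || echo 'no microcode field (not x86?)')"
fi
```

Keep the "before" value somewhere that survives the reboot; if check_update reports the revision unchanged, the usual culprits are a package that did not actually contain a newer blob for your CPU model, or an initramfs that was not regenerated to include it.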

How to update/install microcode downloaded from Intel site?

Only use the following method when your hardware vendor recommends it; otherwise stick to the distribution packages described above. Most Linux distribution maintainers ship microcode updates through the package manager, and that path is the safe one because it has been tested by many users.